Changeset 2a1ffd6 in mod_gnutls
- Timestamp:
- May 31, 2016, 1:12:53 PM (6 years ago)
- Branches:
- asyncio, debian/master, debian/stretch-backports, master, proxy-ticket, upstream
- Children:
- 64856fd
- Parents:
- d35b98e
- Location:
- src
- Files:
-
- 2 edited
src/gnutls_ocsp.c
rd35b98e r2a1ffd6 86 86 return GNUTLS_E_NO_CERTIFICATE_FOUND; 87 87 } 88 gnutls_x509_trust_list_t issuer; 89 int ret = gnutls_x509_trust_list_init(&issuer, 1); 90 if (ret != GNUTLS_E_SUCCESS) 91 { 92 ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c, 93 "Could not create issuer trust list: %s (%d)", 94 gnutls_strerror(ret), ret); 95 goto trust_cleanup; 96 } 88 97 89 /* Only the direct issuer may sign the OCSP response or an OCSP 98 90 * signer. Assuming the certificate file is properly ordered, it 99 91 * should be the one directly after the server's. */ 100 ret = gnutls_x509_trust_list_add_cas(issuer, 92 gnutls_x509_trust_list_t issuer; 93 int ret = mgs_create_ocsp_trust_list(&issuer, 101 94 &(ctxt->sc->certs_x509_crt_chain[1]), 102 1 , 0);103 if (ret != 1)104 { 105 ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c, 106 "Could not populate issuer trust list.");107 ret = GNUTLS_E_CERTIFICATE_ERROR;108 goto trust_cleanup;95 1); 96 if (ret != GNUTLS_E_SUCCESS) 97 { 98 ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c, 99 "Could not create issuer trust list: %s (%d)", 100 gnutls_strerror(ret), ret); 101 return ret; 109 102 } 110 103 … … 205 198 ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c, 206 199 "OCSP response has expired at %s!", date_str); 200 /* Do not send a stale response */ 207 201 ret = GNUTLS_E_OCSP_RESPONSE_ERROR; 208 202 goto resp_cleanup; … … 229 223 resp_cleanup: 230 224 gnutls_ocsp_resp_deinit(resp); 231 trust_cleanup:232 225 /* deinit trust list, but not the certificates */ 233 226 gnutls_x509_trust_list_deinit(issuer, 0); … … 265 258 return GNUTLS_E_NO_CERTIFICATE_STATUS; 266 259 } 260 261 262 263 int mgs_create_ocsp_trust_list(gnutls_x509_trust_list_t *tl, 264 const gnutls_x509_crt_t *chain, 265 const int num) 266 { 267 int added = 0; 268 int ret = gnutls_x509_trust_list_init(tl, num); 269 270 if (ret == GNUTLS_E_SUCCESS) 271 added = gnutls_x509_trust_list_add_cas(*tl, chain, num, 0); 272 273 if (added != num) 
274 ret = GNUTLS_E_CERTIFICATE_ERROR; 275 276 /* Clean up trust list in case of error */ 277 if (ret != GNUTLS_E_SUCCESS) 278 gnutls_x509_trust_list_deinit(*tl, 0); 279 280 return ret; 281 } -
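Review bot: In the added mgs_create_ocsp_trust_list at the end of this section, a failing gnutls_x509_trust_list_init() leaves `added` at 0, so the `added != num` test replaces the init error with GNUTLS_E_CERTIFICATE_ERROR and the cleanup branch then calls gnutls_x509_trust_list_deinit() on a list that was never initialized. Return the init error before anything touches *tl and run the deinit only on the add_cas failure path, as sketched below. With num == 0 the current logic reports success for an empty list; the caller earlier in this section passes a fixed 1 so it never hits that, but the header contract does not exclude it, and rejecting num <= 0 up front would make the helper safe for other callers. The caller's replacement of `goto trust_cleanup` with `return ret;` is only correct because the helper promises no live trust list on failure, so that promise has to hold on every error path; that caller's enclosing function starts outside the hunk.
```c
int mgs_create_ocsp_trust_list(gnutls_x509_trust_list_t *tl,
                               const gnutls_x509_crt_t *chain,
                               const int num)
{
    int ret = gnutls_x509_trust_list_init(tl, num);
    if (ret != GNUTLS_E_SUCCESS)
        return ret; /* *tl was never initialized, nothing to release */

    if (gnutls_x509_trust_list_add_cas(*tl, chain, num, 0) != num)
    {
        /* Clean up trust list in case of error */
        gnutls_x509_trust_list_deinit(*tl, 0);
        return GNUTLS_E_CERTIFICATE_ERROR;
    }

    return GNUTLS_E_SUCCESS;
}
```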
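--- a/src/gnutls_ocsp.h
+++ b/src/gnutls_ocsp.h
@@ -19,4 +19,5 @@
 
 #include "gnutls/gnutls.h"
+#include "gnutls/x509.h"
 #include "httpd.h"
 #include "http_config.h"
@@ -26,4 +27,26 @@
                          const char *arg);
 
+/*
+ * Create a trust list from a certificate chain (one or more
+ * certificates).
+ *
+ * tl: This trust list will be initialized and filled with the
+ * specified certificate(s)
+ *
+ * chain: certificate chain, must contain at least num certifictes
+ *
+ * num: number of certificates to load from chain
+ *
+ * Chain is supposed to be static (the trust chain of the server
+ * certificate), so when gnutls_x509_trust_list_deinit() is called on
+ * tl later, the "all" parameter should be zero.
+ *
+ * Returns GNUTLS_E_SUCCESS or a GnuTLS error code. In case of error
+ * tl will be uninitialized.
+ */
+int mgs_create_ocsp_trust_list(gnutls_x509_trust_list_t *tl,
+                               const gnutls_x509_crt_t *chain,
+                               const int num);
+
 int mgs_get_ocsp_response(gnutls_session_t session, void *ptr,
                           gnutls_datum_t *ocsp_response);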
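Review bot: The added comment above mgs_create_ocsp_trust_list misspells the chain description; it should read `chain: certificate chain, must contain at least num certificates`. The closing sentence `In case of error tl will be uninitialized.` would be more useful as `In case of error *tl is not valid and must not be passed to gnutls_x509_trust_list_deinit()`, since the caller's cleanup in gnutls_ocsp.c relies on exactly that. It would also help to say outright that after a successful call the caller owns the list and releases it with gnutls_x509_trust_list_deinit(*tl, 0), which the remark about the "all" parameter implies but does not state.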